[ https://issues.apache.org/jira/browse/WW-4918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362315#comment-16362315 ]

Nate commented on WW-4918:
--------------------------

[~yasser.zamani] I have updated the affects version with the current Struts 
version. I have posted below the results of a dir /b *.jar in the lib folder, 
although I have removed 2 jars from the list which included the name of our 
company, neither of which were used anywhere near our frontend code (something 
related to our product license and a database abstraction layer).

activation.jar
aopalliance.jar
asm-commons.jar
asm-tree.jar
asm.jar
atlassian-osuser.jar
axis.jar
bndlib.jar
c3p0.jar
cdi-api.jar
classmate.jar
com.springsource.antlr.jar
com.springsource.javax.xml.stream.jar
com.springsource.net.sf.cglib.jar
com.springsource.org.apache.commons.beanutils.jar
com.springsource.org.apache.commons.cli.jar
com.springsource.org.apache.commons.collections.jar
com.springsource.org.apache.commons.io.jar
com.springsource.org.apache.commons.lang.jar
com.springsource.org.apache.commons.net.jar
com.springsource.org.apache.log4j.jar
com.springsource.org.apache.log4j.sub.jar
com.springsource.org.apache.oro.jar
com.springsource.org.apache.velocity.jar
com.springsource.org.apache.xml.resolver.jar
com.springsource.org.xmlpull.jar
commons-codec.jar
commons-compress.jar
commons-dbcp.jar
commons-digester.jar
commons-discovery.jar
commons-fileupload.jar
commons-httpclient.jar
commons-io.jar
commons-lang3.jar
commons-logging.jar
commons-pool.jar
commons-resources.jar
commons-validator.jar
displaytag.jar
dojo13.jar
dojo18.jar
dojo19.jar
dom4j.jar
ezlicrun.jar
freemarker.jar
hibernate-c3p0.jar
hibernate-commons-annotations.jar
hibernate-core.jar
hibernate-entitymanager.jar
hibernate-jpa-2.1-api.jar
hibernate-osgi.jar
hsqldb.jar
httpclient.jar
httpcore.jar
itext.jar
jaasmodules.jar
jackson-annotations.jar
jackson-core-asl.jar
jackson-core.jar
jackson-databind.jar
jackson-jaxrs.jar
jackson-mapper-asl.jar
jackson-mrbean.jar
jackson-smile.jar
jackson-xc.jar
jakarta-unstandard.jar
jandex.jar
jasperreports.jar
javassist.jar
javax.el-api.jar
javax.inject.jar
javax.interceptor-api.jar
jaxb-api.jar
jaxb-impl.jar
jaxb-xjc.jar
jaxrpc-api.jar
jboss-logging.jar
jboss-transaction-api_1.2_spec.jar
jcommon.jar
jdom.jar
jfreechart.jar
jsoup.jar
jstl.jar
log4j-api.jar
mail.jar
mchange-commons-java.jar
ncso.jar
notes.jar
ognl.jar
ojb.jar
ops4j-base-io.jar
ops4j-base-lang.jar
ops4j-base-monitors.jar
ops4j-base-store.jar
ops4j-base-util-property.jar
org.apache.servicemix.bundles.jsch.jar
pax-swissbox-property.jar
pax-url-commons.jar
poi.jar
rome.jar
s2datepicker.jar
saaj-api.jar
slf4j-api.jar
slf4j-log4j12.jar
soap60.jar
spring-aop.jar
spring-asm.jar
spring-beans.jar
spring-context-support.jar
spring-context.jar
spring-core.jar
spring-expression.jar
spring-oxm.jar
spring-test.jar
spring-web.jar
spring-webmvc.jar
standard.jar
stax2-api.jar
struts-layout.jar
struts.jar
struts2-core.jar
struts2-dojo-plugin.jar
struts2-json-plugin.jar
templates.jar
tfs.sdk.jar
tinybundles.jar
truelicense.jar
trueswing.jar
truexml.jar
vt-ldap.jar
woodstox-core-asl.jar
wsdl4j.jar
xercesImpl.jar
xml-apis.jar
xmlrpc.jar
xstream.jar
xwork-core.jar

> buttons with name="method:METHODNAME" sometimes ignore global-allowed-methods defined in struts.xml
> ---------------------------------------------------------------------------------------------------
>
>                 Key: WW-4918
>                 URL: https://issues.apache.org/jira/browse/WW-4918
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.5.14.1
>            Reporter: Nate
>            Priority: Major
>
> I have the following action (slightly edited to remove identifying info):
> {code:xml}
> <action name="userEdit" class="struts2package.actions.user.UserEditAction">
>  <interceptor-ref name="defaultStack">
>  <!-- Exclude the dojo parameters, the displaytag sorting/paging parameters and the resetSelectedVersion parameter -->
>  <param name="params.excludeParams">dojo\..*,struts\..*,d-\d+?-[sop],..*multiselect..*</param>
>  <param name="authorizationInterceptor.authorizationRole">globalAdmin</param>
>  </interceptor-ref>
>  <interceptor-ref name="token">
>  <param name="excludeMethods">input,back,refresh,cancel,browse</param>
>  </interceptor-ref>
>  <interceptor-ref name="struts2ActionErrorInterceptor"/>
>  <interceptor-ref name="struts1ErrorMessageInterceptor"/>
>  <result name="input">/jsp/user/userEdit.jsp</result>
>  <result name="error" type="redirectAction">
>  <param name="actionName">displayUserEdit.action</param>
>  </result>
>  <result name="redirectToUserOverview" type="redirectAction">
>  <param name="actionName">userOverviewRetained.action</param>
>  <param name="globalInfo">info.transaction_success</param>
>  </result>
>  <result name="success">/jsp/user/userEdit.jsp</result>
>  <result name="back" type="redirect">${backUrl}</result>
>  </action>
> {code}
> And the following global allowed methods:
> {code:xml}
> <global-allowed-methods>update,execute</global-allowed-methods>
> {code}
> And these buttons:
>  
> {code:xml}
> <div class="buttonRow">
>   <%-- The 'Save' button --%>
>   <input value="Save"
>          type="submit" class="button" name="method:update" />
>   <%-- The 'Refresh' button --%>
>   <input value="Refresh"
>          type="submit" class="button" name="method:refresh"
>          id="refreshButton" />
>   <%-- The 'Back' button --%>
>   <input value="Back"
>          type="submit" class="button" name="method:back" />
> </div>
> {code}
>  
> As you can see, the update method is defined in the global-allowed-actions 
> list, but the refresh and back methods aren't. However, what happens is that 
> the update button with the update method works and updates the user, the 
> refresh action shows the "method is not allowed" error screen and doesn't 
> update the user (both as expected since update is defined in the allowed 
> methods and refresh isn't), but the back button DOES actually work even 
> though it's not explicitly defined in the global-allowed-methods section.
>  
> I'm trying to understand why out of 2 methods both not defined as 
> allowed-methods, one is correctly blocked as "not allowed" while the other 
> is still allowed through. If I add ",refresh" to the global-allowed-methods 
> and restart tomcat, the refresh button ends up working afterwards as 
> expected, and the back button stays functional. I don't use the plugin that 
> adds the Allowed Methods annotation, and this same situation also happens 
> when using s:submits with method="back" defined, even if there is already a 
> method defined on the action entry in struts.xml.
> Update: I have done some more testing, and it appears that another action 
> with similar definition but a different method (method:delete on an 
> AntDeleteAction) also works without having to explicitly define delete on the 
> global allowed methods list.



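The report above compares what the JSP buttons invoke (name="method:X", or s:submit with method="X") against what struts.xml declares as allowed. The following audit script, added here and not part of the issue or of Struts itself, automates that comparison for one action: it unions the package's global-allowed-methods, the action's own allowed-methods element and its method= attribute (execute when absent; treating that attribute as implicitly allowed is an assumption about the Struts 2.5 defaults), then lists every button method that is not in that set. The XML and JSP fragments are constructed samples modelled on the report, not the reporter's real files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed struts.xml fragment modelled on the issue (sample input, not the reporter's file).
STRUTS_XML = """<struts>
  <package name="default" extends="struts-default">
    <global-allowed-methods>update,execute</global-allowed-methods>
    <action name="userEdit" class="struts2package.actions.user.UserEditAction">
      <result name="input">/jsp/user/userEdit.jsp</result>
    </action>
  </package>
</struts>"""

# Constructed JSP fragment: the three buttons from the report plus one s:submit form.
USER_EDIT_JSP = """<input value="Save" type="submit" name="method:update" />
<input value="Refresh" type="submit" name="method:refresh" />
<input value="Back" type="submit" name="method:back" />
<s:submit method="delete" value="Delete" />"""

# Matches either a plain submit named method:X or an <s:submit method="X"> tag.
BUTTON_RE = re.compile(r'name="method:([A-Za-z_]\w*)"|<s:submit[^>]*\bmethod="([A-Za-z_]\w*)"')


def _split_list(text):
    return {m.strip() for m in (text or "").split(",") if m.strip()}


def allowed_methods(struts_xml: str, action_name: str) -> set:
    """Declared method names for one action: package global-allowed-methods,
    the action's allowed-methods element, and its method= attribute (default execute,
    assumed to be implicitly allowed)."""
    root = ET.fromstring(struts_xml)
    for pkg in root.iter("package"):
        allowed = _split_list(getattr(pkg.find("global-allowed-methods"), "text", None))
        for action in pkg.iter("action"):
            if action.get("name") != action_name:
                continue
            allowed.add(action.get("method", "execute"))
            allowed |= _split_list(getattr(action.find("allowed-methods"), "text", None))
            return allowed
    raise KeyError("action not found: %s" % action_name)


def invoked_methods(jsp: str) -> set:
    """Method names that the page's submit buttons will try to invoke."""
    return {a or b for a, b in BUTTON_RE.findall(jsp)}


def undeclared_methods(struts_xml: str, action_name: str, jsp: str) -> set:
    """Button methods not covered by any allowed-methods declaration for the action."""
    return invoked_methods(jsp) - allowed_methods(struts_xml, action_name)
```

Any name in the returned set is a method the page expects to reach without the configuration declaring it; whether Struts actually blocks it is exactly what the report is probing, so the list is the starting point for a review, not a verdict.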
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)